Report: Building trust into software takes a team of tests

Taylor Armerding
7 min read · Nov 12, 2024


It’s rare for a single change in a product to make it significantly better and safer — it’s almost always a combination.

The safety of today’s vehicles is an obvious example. Seatbelts, first installed in cars in the 1950s, help protect passengers in a crash, but airbags, which came along a couple of decades later, help just as much or more in a different way. More recent inventions — antilock brakes and collision avoidance technology — can help avoid a crash entirely. Collectively, they mean you can put much more trust in the safety of your car.

That applies to software security as well, which is one of the major findings of “2024 Software Vulnerability Snapshot,” a new report by the software security company Black Duck (Disclosure: I write for Black Duck.)

The report documents that combinations of testing tools give more comprehensive coverage than any one tool alone. An automated tool like dynamic application security testing (DAST) is crucial for finding defects that only show up when the application is actually running. DAST is a so-called “black box” testing method that analyzes a running application without any privileged access to its design, architecture, source code, or internal state — much like the view of a malicious hacker.

And the major focus of the Black Duck report is on DAST — the result of data analysis from more than 200,000 DAST scans on about 1,300 applications across 19 industry sectors. But DAST can’t do it all — it’s crucial but not sufficient. No single tool is. The report’s conclusion is that “a comprehensive approach is essential” to build trust into web-based applications.

That comprehensive approach combines DAST with static application security testing (SAST) and software composition analysis (SCA). The three form a so-called “trinity of application security” that enables security teams to “achieve the most comprehensive coverage throughout the software development life cycle,” according to the report, which conducted its analyses from June 2023 to June 2024.

SAST excels at testing code and flagging mistakes as it is being written — you could think of it as a bit like spellcheck. But it can miss defects that don’t become apparent until the code is running, which is where DAST comes in.

And SCA helps developers find open source and other third-party components, like libraries and frameworks, in a codebase and lets them know if those components have any known vulnerabilities or potential licensing conflicts. That’s also crucial, given that open source is in nearly all modern codebases and comprises an average of 76% of them.

Among other key findings of the report are that there is plenty to fix to make software more secure, and that DAST is one very good way to find what to fix. The scans identified 96,917 vulnerabilities — roughly one for every two scans.

How risky are those vulnerabilities? None of them are trivial, but some can enable more damage than others. The top three critical-risk vulnerabilities included

  • Cryptographic failures, which put sensitive data at risk. The scans found that 87% of the organizations surveyed had a combined 30,712 of those failures in their applications, with 4,882 considered critical risk. These defects include failing to encrypt sensitive data as it travels over the internet, using weak or outdated encryption methods, and failing to protect what is supposed to be secret, like passwords.
  • Injection vulnerabilities such as cross-site scripting can allow attackers to insert malicious code or commands into an application, giving them the capability to execute malicious actions or to access data without authorization. The scans found 2,415 of those vulnerabilities across 41% of the surveyed organizations, with nearly all of them — 2,256 — considered critical. Injection vulnerabilities occur when the software of the application fails to validate or sanitize user input before it is used in database queries, operating system commands, or web page content.
  • Information leakage refers to the unintentional exposure of sensitive information through error messages, comments, or other application responses that can be leveraged by attackers to gain insights into the system’s architecture or vulnerabilities. The scans found 8,097 of those vulnerabilities affecting 66% of organizations, with 510 considered critical.
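The three classes above are easier to recognize in code than in prose. The following Python is an added illustration, not code from the report or from Black Duck's tooling: each class appears in a vulnerable form beside a hardened one, with an in-memory SQLite table standing in for a web application's backend. The table contents, the user name, the PBKDF2 round count and the "reference id" error format are assumptions made for the example.

```python
import hashlib
import hmac
import html
import os
import sqlite3
import traceback

PBKDF2_ROUNDS = 600_000  # assumed here; OWASP's 2023 guidance for PBKDF2-HMAC-SHA256


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'placeholder')")
    return conn


# Injection into a database query: the vulnerable version splices user input
# into the SQL text; the hardened version binds it as a parameter, so quote
# characters are data and never reach the SQL parser.
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# Injection into web page content (cross-site scripting): raw vs escaped output.
def greet_vulnerable(name: str) -> str:
    return f"<p>Hello, {name}</p>"


def greet_hardened(name: str) -> str:
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Cryptographic failure: an unsalted fast hash lets an attacker crack a leaked
# password table with precomputed tables; a per-user salt, a deliberately slow
# key-derivation function and a constant-time comparison are the standard fix.
def hash_password_vulnerable(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def hash_password_hardened(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password_hardened(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Information leakage: returning the stack trace tells an attacker the database
# driver, module paths and query shape. The hardened handler keeps that detail
# in the server log and returns only an opaque reference id to the client.
SERVER_LOG = []  # stands in for the application's log sink


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> tuple:
    try:
        return 200, str(find_user_hardened(conn, name))
    except Exception:
        return 500, traceback.format_exc()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> tuple:
    try:
        return 200, str(find_user_hardened(conn, name))
    except Exception as exc:
        ref = os.urandom(4).hex()
        SERVER_LOG.append(f"{ref}: {exc!r}")
        return 500, f"Internal error (reference {ref})"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("SQLi, vulnerable:", find_user_vulnerable(db, payload))  # [('alice',)]
    print("SQLi, hardened:  ", find_user_hardened(db, payload))    # []
    print(greet_hardened("<script>alert(1)</script>"))
    db.close()  # a closed database stands in for any backend failure
    print(lookup_vulnerable(db, "alice")[1].splitlines()[-1])
    print(lookup_hardened(db, "alice")[1])
```

A DAST scanner sees only the responses: the `' OR '1'='1` payload returning a record it should not, the `<script>` tag coming back unescaped, and the `sqlite3.ProgrammingError` text in a 500 response are exactly the observations it reports. The password hashing defect, by contrast, is invisible from outside and is the kind of issue SAST is needed to catch.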

Other critical risks affecting a smaller number of organizations included cross-site request forgery, abuse of functionality, HTTP response splitting, content spoofing, path traversal, insufficient password policy implementation, and insufficient process validation.

The risk posed by an unaddressed vulnerability depends in part on how easy it is to exploit and how much damage exploitation can cause. Other factors that affect the level of risk include

  • The risk level of industry sectors. At the top of the high-risk list were the finance and insurance sector with 1,299 critical vulnerabilities, healthcare and social assistance with 992, and information services with 446. That is especially worrisome because those sectors are where a lot of money and sensitive personal information are.
  • Time to close. This refers to how long it takes an organization to fix a vulnerability once it has been identified. Predictably, the longer it remains unaddressed, the more likely it is to get exploited. According to the report, the utilities sector took the longest to fix critical vulnerabilities, ranging from an average of 107 to 876 days depending on the size of the organization. You don’t need a calculator to know that the larger number gives hackers more than two years to exploit them.

The educational services sector was second, with closure times ranging from a single day up to 342. Sectors with the shortest time to close were finance and insurance (28 to 78 days) and healthcare and social assistance (20 to 87 days).
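Time to close is only useful as a metric if a team measures it on its own findings. The following Python is an added example, not from the report, of the bookkeeping involved: mean and median days from first detection to closure per sector, restricted to a severity when asked, plus a list of open findings that have outlived a closure target. The findings, the sector names, the "today" date and the per-severity SLA thresholds are all constructed for the illustration; the report prescribes no such thresholds.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

# Assumed closure targets in days per severity (not from the report).
SLA_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}

# Fixed "today" so the example is reproducible; also constructed.
TODAY = date(2024, 6, 30)


@dataclass
class Finding:
    sector: str
    severity: str
    first_seen: date
    closed: Optional[date] = None

    def age(self, today: date = TODAY) -> int:
        """Days from first detection to closure, or to today if still open."""
        end = self.closed or today
        return (end - self.first_seen).days


# Constructed sample findings, not data from the report.
FINDINGS = [
    Finding("utilities", "critical", date(2023, 7, 1), date(2024, 3, 15)),
    Finding("utilities", "critical", date(2023, 9, 10)),            # still open
    Finding("finance", "critical", date(2024, 1, 5), date(2024, 2, 2)),
    Finding("finance", "high", date(2024, 2, 1), date(2024, 5, 1)),
    Finding("education", "critical", date(2024, 4, 1), date(2024, 4, 2)),
    Finding("education", "medium", date(2024, 3, 1)),               # open, within SLA
]


def time_to_close(findings, today: date = TODAY, severity: Optional[str] = None) -> dict:
    """Mean, median and count of days-to-close per sector, over closed findings only.

    Open findings are excluded on purpose: counting them as closed today would
    understate the backlog, which is what overdue() is for.
    """
    by_sector = {}
    for f in findings:
        if f.closed is None or (severity and f.severity != severity):
            continue
        by_sector.setdefault(f.sector, []).append(f.age(today))
    return {
        sector: {"mean": mean(ages), "median": median(ages), "n": len(ages)}
        for sector, ages in by_sector.items()
    }


def overdue(findings, today: date = TODAY) -> list:
    """Open findings older than their severity's closure target, oldest first."""
    late = [f for f in findings if f.closed is None and f.age(today) > SLA_DAYS[f.severity]]
    return sorted(late, key=lambda f: f.age(today), reverse=True)


if __name__ == "__main__":
    for sector, stats in time_to_close(FINDINGS, severity="critical").items():
        print(f"{sector:10s} critical: median {stats['median']} days over {stats['n']} finding(s)")
    for f in overdue(FINDINGS):
        print(f"OVERDUE {f.sector} {f.severity}: open {f.age()} days (target {SLA_DAYS[f.severity]})")
```

The split between closed-only statistics and a separate overdue list matters in practice: a sector with a flattering median can still be carrying a critical finding that has been open for most of a year, as the constructed utilities entries show.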

The report also found that “small and medium-complexity [web]sites tended to have more critical vulnerabilities than larger sites, particularly in the finance and insurance sector. This suggests that organizations may be underestimating the security needs of smaller sites or less complex applications.”

Multiple troubles

The possible results of unaddressed defects like these are predictable, and none of them are good.

When data isn’t secure, attackers can steal it — everything from confidential personal, medical, and business data to financial and login credentials. They can also encrypt it and demand ransom payments that can easily reach into the millions. According to one estimate, ransomware victims paid nearly $460 million to attackers in just the first half of this year. And most experts say a significant percentage of ransomware attacks and payments never get reported.

Second, vulnerabilities can lead to regulatory penalties. If an educational institution’s information system is breached, for example, the personal information, academic records, and financial details of hundreds to thousands of students could be compromised. That could lead to identity theft, academic fraud, and violation of privacy laws like the Family Educational Rights and Privacy Act.

Indeed, there are multiple data protection laws and regulations, some that focus on specific sectors like critical infrastructure, the payment card industry, and healthcare, while others are more general, like the EU’s General Data Protection Regulation. But failure to comply with any of them can lead to severe regulatory sanctions.

Third, breaches can disrupt the operation of an organization. According to the report, “security misconfigurations and denial-of-service vulnerabilities across industry sectors threaten business continuity and service availability.”

That kind of damage can go well beyond inconvenience or delayed paychecks. In sectors like healthcare, it can be catastrophic. A major attack could easily compromise electronic health records, lead to medication errors due to pharmacy interruptions, and even take down critical, life-saving medical devices including ventilators, infusion pumps, and heart monitors.

A power grid vulnerability that remains unpatched could allow an attacker to cut power to millions of households. Or a water treatment vulnerability could lead to contamination of the water supply for an entire community.

Be a tough target

But amid the harsh reality that everybody is a target, there is some good news — nobody is helpless. While there is no such thing as 100% security, the report documents that the trinity of AppSec testing tools can make you and your organization a much more difficult target in a world where most attackers are looking for easy targets.

As the report recommends, the obvious priority should be to fix critical defects — the ones that can let attackers do the most damage. Also to fix them faster — the more an organization can reduce time to close, the more secure it will be.

Even better is to use the three complementary testing tools — SAST, DAST, and SCA — during development, to catch defects before an application is exposed to the internet. If you don’t have vulnerabilities, you don’t have to worry about time to close.

Overall, the data in the report makes an overwhelming case that software security needs to be better. As Jason Schmitt, CEO of Black Duck puts it, “The high number of vulnerabilities found from the past year is a clear wake-up call that businesses cannot remain stagnant when deploying new security measures.”

“The longer it takes for an organization to patch a vulnerability, the larger the chance of exploitation,” he said. “Software risk equates to business risk, and with today’s malicious actors being more sophisticated than ever, it’s increasingly important that businesses across every sector build trust in their software by implementing a comprehensive and integrated approach.”

That approach means integrating DAST, SAST, and SCA into development and deployment processes. By doing so, organizations can identify and remediate vulnerabilities more effectively, ensure compliance with regulatory requirements, and build trust into their software.

Written by Taylor Armerding

I write mainly about software security, data security, and privacy.
